Hackers can now guess Visa credit card details in less than six seconds

Ever bought something online with your credit card, and thought you were safe? Think again, because it appears it’s never been easier for crooks to nip your bank credentials.

According to research from the University of Newcastle, there’s a gaping hole in credit card security that makes it easy for hackers to retrieve sensitive information. The researchers discovered that if guesses for the card’s CVC number are spread out between a lot of different websites, the card’s security systems aren’t triggered and the owner isn’t notified that a fraudulent activity might be taking place. The video above shows it only takes six seconds for a specially designed toolkit to reveal a card’s secure code.

By building up data gathered from guesses on different websites, the software is able to quickly compile information like the card’s expiry date, the holder’s address or postal code and CVC. The technique is rumored to have been used in an incident that involved 20,000 Tesco Bank account getting drained of their money earlier this month.

Only Visa cards are susceptible to the security flaw, as other card issuers like MasterCard track the hacker’s guessing efforts across different websites. The Visa ecosystem, however, isn’t setup to take actions on multiple websites into account.

Before publishing their findings in a paper published in IEEE Security & Privacy 2017, the researchers informed Visa, but the company unfortunately didn’t seem to take the findings too seriously, telling The Independent that “the research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.”

Credit cards are a perfect example of old technology still persisting in a modern world. As my esteemed colleague Bryan Clark wrote two months ago, the future of payment isn’t plastic, but can be found inside your smartphone or other highly secure devices.

The problem is that we’re not moving to a cardless world quickly enough. Systems like Apple Pay and Android Wallet aren’t available globally, and it would take some time before the technology eventually becomes available to everyone. As long as we continue to rely on the credit card system, it’s likely we’ll be experiencing security breaches like the one at Tesco Bank for a long time to come.